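1. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876
2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
3. Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, Guangdong 510006
4. Institute of Electronic and Information Engineering of UESTC in Guangdong, Dongguan, Guangdong 523808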
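FANG Liang (1989-), male, born in Taiyuan, Shanxi, is a Ph.D. candidate at Beijing University of Posts and Telecommunications. His main research interests are information security and access control.
YIN Li-hua (1973-), female, born in Chaoyang, Liaoning, Ph.D., is a professor and doctoral supervisor at Guangzhou University. Her main research interests are information security and security evaluation.
LI Feng-hua (1966-), male, born in Xishui, Hubei, Ph.D., is deputy chief engineer, research professor and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interests are network and system security, information protection, and privacy computing.
FANG Bin-xing (1960-), male, born in Wannian, Jiangxi, is an academician of the Chinese Academy of Engineering and a professor at Guangzhou University. His main research interests are computer architecture, computer networks, and information security.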
Online publication date: 2017-12
Print publication date: 2017-12-25
Liang FANG, Li-hua YIN, Feng-hua LI, et al. Spectral-clustering-based abnormal permission assignments hunting framework[J]. Journal on Communications, 2017, 38(12): 63-72. DOI: 10.11959/j.issn.1000-436x.2017285.
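Migrating access control systems such as mandatory access control and discretionary access control to role-based access control can greatly improve the efficiency of managing user permissions. To ensure system security, correct roles must be generated during the migration, yet the abnormal permission configurations present in the original system pose a great challenge to role generation. Ignoring these abnormal permission configurations causes the generated roles to contain erroneous permissions and increases the probability of information leakage. To address the problem of discovering abnormal permission configurations in access control, a spectral-clustering-based mechanism for mining abnormal permission configurations is proposed. Experimental results show that the proposed scheme achieves more accurate discovery of permission configurations.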
Migrating traditional access control, such as mandatory and discretionary access control, into role-based access control (RBAC) offers a practical way to improve user-permission management efficiency. To guarantee the security of the RBAC system, it is important to generate proper roles during the migration. However, abnormal user-permission configurations lead to wrong roles and cause tremendous security risks. To hunt the potential abnormal user-permission configurations, a novel spectral-clustering-based abnormal configuration hunting framework was proposed, and recommendations were given to correct these configurations. Experimental results show its performance advantage over existing solutions.